A common use case in access management is step up authentication. ForgeRock AM is very good for that. The OIDC standard talks about step up authentication and level of authentication requested by the client.

To do so, one could use acr_values which is a voluntary claim, but the openid specification says : « the Authorization Server is not required to provide this Claim in its response. »
In order to achieve that, the essential claim acr is used, it is describe in chapter 5.5.1.1. Requesting the “acr” Claim of the OpenID Core (see: http://openid.net/specs/openid-connect-core-1_0.html#acrSemantics)

In order to demonstrate the functionality, use the following example based on AM 5.1:

In the AM console, browse to Realms >Realm Name>Services, and then click OAuth2 Provider.
Configure the mapping between acr values (in the example 1=ldapService and 2=HOTP chain) in the authorization request and AM authentication chains.